This is the largest fine imposed in 2022 by the authority, which indicated last year that it was launching a campaign of checks against sites that do not respect the rules on these web cookies.

This sanction is also one of the last of this cycle and the Cnil has already announced that it is turning to irregularities within mobile applications.

Microsoft is first sanctioned because French Bing users could not, until March 29, refuse all cookies without going through a tedious setting.

These cookies are small computer files installed by websites on the terminals of their visitors, for technical purposes or targeted advertising.

The Logo of the Cnil (National Commission for Computing and Liberties).

Photo taken on February 16, 2010 in Paris © LOIC VENANCE / AFP

In particular, they allow advertising agencies to trace the user's navigation, in order to be able to send him personalized advertising related to his centers of interest.

They are regularly denounced for the invasions of privacy they can cause.

"The Restricted Committee noted that making the refusal mechanism more complex amounts, in reality, to discouraging users from refusing cookies and encouraging them to favor the ease of the consent button appearing in the first window", writes the CNIL in a statement.

The commission also identified the installation of two cookies without the prior consent of Internet users, while they served advertising purposes, including the "fight against advertising fraud", i.e. the consultation of advertisements by robots.

On this point, the restricted formation of the commission ordered Microsoft to modify its practices on the “bing.com” site within three months, under penalty of having to pay 60,000 euros per day of delay.

"Up to 2% of global turnover"

"Even before the start of this investigation, we fully cooperated with the CNIL and introduced key changes to our cookie practices," a Microsoft spokesperson told AFP.

"We are nevertheless concerned by the position of the Cnil on advertising fraud and believe that it will harm the general public as well as French companies by contributing to the generalization of online fraud", he added.

For these breaches related to the European ePrivacy directive transposed into French law in the Data Protection Act, the Cnil could impose a fine of up to 2% of global turnover.

In its press release, the Cnil justified the amount of the fine "by the scope of the processing (of data), by the number of people concerned and by the profits that the company derives from the advertising revenues indirectly generated from the data collected by cookies", much less than those of Google and Facebook.

The online search giant and the social network had been sanctioned at the end of December 2021 by the Cnil with fines of 150 and 60 million euros respectively for similar breaches, and had been forced to comply within three months. .

Google had announced changes to this effect in April and the Cnil had announced in July that it would close the injunction issued against Facebook, after the company set up a button to accept "only essential cookies".

Google and Amazon were also sanctioned at the end of 2020 with fines of 100 and 35 million euros for failure to provide information prior to the deposit of cookies.

© 2022 AFP